ThreatExpert: System Overview
This overview describes what ThreatExpert is and how you can use this system to minimize the impact of threat infections discovered on your network.
What is ThreatExpert?
ThreatExpert is an innovative system for providing a rapid, detailed description and analysis of the behavioral effects and changes that a threat makes to a computer's operating system upon infection. System administrators and researchers can use this information to minimize the impact of a threat infection on a computer or network.

Threats can end up on a computer from numerous sources: via e-mail, through chat programs such as Messenger or IRC clients, or by browsing sites on the Internet that contain malware. While the presence of a threat file on a computer does not necessarily compromise the computer itself, there are several mechanisms by which it can be run without the user's knowledge. Once run, the threat infection can result in unexpected computer behavior.

When infections are detected within an organization's network, it is the role of system administrators to identify the source of the infections and remove them as quickly as possible. Infected computers on a network can result in severe losses due to communication problems caused by impaired network and Internet access, and due to the unauthorized release of confidential information outside the organization.

When new suspected threat files are identified, system administrators can send these files to an Internet security company, such as an anti-virus or anti-malware vendor, for analysis. These companies investigate the threats and, some time later (anywhere from a few hours up to 48 hours, depending on the complexity of the threat), provide updated database definitions to remove them. In some circumstances, if the threat warrants additional research, a detailed description of it is subsequently posted on the Internet. Nevertheless, the downtime between identifying the relevant threat files and receiving a database update to remove the infection can result in severe financial losses to an organization.

This is where ThreatExpert steps in. ThreatExpert takes a threat file, places it in a self-contained simulated virtual environment, deliberately executes the threat in this environment and then monitors its behavior. A combination of file, Windows Registry and memory snapshots is recorded, in addition to a series of specific 'hooks' that intercept the communication routes typically exploited by threat infections. These hooks 'deceive' the threat into communicating across a simulated network, while the threat's communication actions are actually being recorded in detail by ThreatExpert. Using this recorded data, a detailed report is generated, consisting of file and Windows Registry changes, memory dump analyses, and other important system activities caused by the threat.

An analogy for ThreatExpert is a 'sting operation' set up by a law enforcement organization to catch a criminal suspect in the act of a specific crime. In a successful sting operation, the suspect commits the crime under deception, allowing the law enforcement organization to monitor their every movement and determine whether they are the culprit.

ThreatExpert is capable of providing a detailed analysis report of a threat within a matter of minutes. This information could prove invaluable to system administrators, who can use it to initiate rapid abatement strategies against new infections before Internet security companies respond with updated database definitions that remove the threats.
How do you submit files to ThreatExpert?
Suspected threats can be submitted to ThreatExpert through the web submission form.

All that is required for the submission of a suspected threat to ThreatExpert is the threat executable or DLL file and a valid e-mail address.

After submitting your file, the ThreatExpert system processes the suspected threat and sends its detailed report to your supplied e-mail address. This usually occurs within a matter of minutes. However, depending on demand on the ThreatExpert system, several more minutes may be required for your submission to be processed.
How do you read the ThreatExpert report?
When the ThreatExpert threat report arrives in your e-mail Inbox, it is provided as a zipped attachment with the password 'threatexpert'. Some ThreatExpert reports may contain a representation of code that some Internet security software may perceive as potentially malicious. Hence, zipping these reports with a password is a convenient method of preventing these applications from deleting the report attachment before it arrives in your Inbox. Please note that ThreatExpert reports are not malicious, and any malicious code representations they contain are rendered harmless.
The ThreatExpert report is provided in Microsoft MHTML format, which is readily viewable in Windows Internet Explorer. The report is divided into several sections covering specific exploit behaviors, file and registry changes, the presence of hidden files and rootkits, and the country of origin of the threat. Not all information may be available for a threat (the country of origin, for example), but ThreatExpert comprehensively lists all threat information that could possibly be derived.
A ThreatExpert report is divided into a number of sections:

This detailed report is sufficient for a system administrator to use in order to minimize the impact of a new threat infecting their network in the shortest possible time, and it can also be used to provide a second opinion on threat analyses that have been conducted by other sources.
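The report arrives as a password-protected zip containing an MHTML file, which is a MIME multipart/related document. The following added example (not ThreatExpert's own code) unpacks such an attachment with the stated password, splits the MHTML into its parts, and lists the report's section headings; the sample report, its section names and the use of h-tags for headings are constructed assumptions, and the sample zip is unencrypted because the Python standard library cannot write encrypted archives.

```python
import email
import io
import re
import zipfile
from email import policy

REPORT_ZIP_PASSWORD = b"threatexpert"  # password stated on the page
# Constructed sample report; the section headings are assumed, not ThreatExpert's real layout.
SAMPLE_MHTML = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_Rep"

------=_Rep
Content-Type: text/html
Content-Location: report.htm

<html><body><h2>File System Modifications</h2><p>c:\\sample.exe</p>
<h2>Registry Modifications</h2><h2>Outbound Traffic</h2></body></html>
------=_Rep
Content-Type: image/gif
Content-Location: flag.gif
Content-Transfer-Encoding: base64

R0lGODlhAQABAAAAACw=
------=_Rep--
"""

def build_sample_zip() -> bytes:
    """Constructed stand-in for the e-mailed attachment (stdlib cannot write encrypted zips)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.mht", SAMPLE_MHTML)
    return buf.getvalue()

def extract_report_files(zip_bytes: bytes, password: bytes = REPORT_ZIP_PASSWORD) -> dict:
    """Map member name -> bytes; the password is used for encrypted entries and ignored otherwise."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: zf.read(i, pwd=password) for i in zf.infolist() if not i.is_dir()}

def parse_mhtml(data: bytes) -> dict:
    """Split an MHTML (MIME multipart/related) file into {content-location: (content-type, bytes)}."""
    msg = email.message_from_bytes(data, policy=policy.default)
    return {str(p.get("Content-Location") or i): (p.get_content_type(), p.get_payload(decode=True))
            for i, p in enumerate(msg.walk()) if not p.is_multipart()}

def section_titles(parts: dict) -> list:
    """Headings of the first text/html part; assumes sections are marked with <h1>..<h6> tags."""
    for ctype, body in parts.values():
        if ctype == "text/html":
            heads = re.findall(r"<h[1-6][^>]*>(.*?)</h[1-6]>", body.decode("utf-8", "replace"), re.S)
            return [re.sub(r"<[^>]+>", "", h).strip() for h in heads]
    return []
```

Calling `section_titles(parse_mhtml(extract_report_files(build_sample_zip())["report.mht"]))` on the constructed sample yields the three heading names, and the embedded GIF part is returned decoded from base64.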